Encrypt Nuxeo password in database

We are using Nuxeo 5.6-RC2. We are connecting via oracle template. We have also customized nuxeo to use our customized pre-made users instead default nuxeo users.

Now, username and password Administrator and Administrator are placed in MY_CUSTOMIZED_USERS table, and obviously they are not encrypted. In production environment, users have access to database and they can see Administrator password.

Is there anyway we can customize Nuxeo to have our login passwords in database encrypted?

0 votes

2 answers

3826 views

ANSWER



Only the initial Administrator password, that is the word “Administrator”, is not encrypted as the assumption was made that it needs to be reset anyway to make it secure. The moment you change the Administrator password, it does get encrypted.

Please make a test and change your Administrator password and then query the users table to see if that indeed is the case.

1 votes



Thanks Wojciech I changed the password and as you said it got encrypted in database. But as we have made our custom users by making our own user directory.

Thats the xml of our contribution:

<extension target="org.nuxeo.ecm.directory.sql.SQLDirectoryFactory"
    point="directories">

   <directory name="RecmUserDirectory">
    <schema>user</schema>
    <idField>username</idField>
    <passwordField>password</passwordField>
    <passwordHashAlgorithm>SSHA</passwordHashAlgorithm>
    <autoincrementIdField>false</autoincrementIdField>
    <dataSource>java:/nxsqldirectory</dataSource>
    <table>recm_users</table>
    <dataFile>data/users.csv</dataFile>
    <createTablePolicy>never</createTablePolicy>
    <querySizeLimit>15</querySizeLimit>
     <nativeCase>true</nativeCase>
    <references>
      <inverseReference field="groups" directory="groupDirectory"
        dualReferenceField="members" />
    </references>
  </directory>

user.csv contains our user's username and password but they are not encrypted.

The point is that <passwordHashAlgorithm>SSHA</passwordHashAlgorithm> says that password needs to be SSHA encrypted but in database it is initially un-encrypted, unless we change it.

Is there anyway that our initial passwords are stored in database as encrypted?

08/28/2012


If <passwordHashAlgorithm>SSHA</passwordHashAlgorithm> is in the config then Nuxeo will encrypt any password it writes, but will still be able to read unencrypted ones.

If you populate the password database using an external system, then you'll have to do the encryption yourself. You can see how SSHA is implemented by reading the code at https://github.com/nuxeo/nuxeo-services/blob/master/nuxeo-platform-directory/nuxeo-platform-directory-sql/src/main/java/org/nuxeo/ecm/directory/sql/PasswordHelper.java

2 votes



Perfect. Thanks Florent.
09/25/2012